On August 11, 2021, the Federal Financial Institutions Examination Council (FFIEC) issued guidance titled “Authentication and Access to Financial Institution Services and Systems.” It gives financial institutions examples of effective authentication and access risk management principles and practices covering customers (both business and consumer), employees, and third parties that access digital banking services and information systems.
The FFIEC, whose voting members include representatives from the FDIC, the NCUA, the OCC, the CFPB, the Federal Reserve Board, and the State Liaison Committee, issued the guidance as an update to its 2005 and 2011 guidance on risk management practices for internet-based products and services. The FFIEC cited two changes over the last decade that prompted the update: (1) the current cybersecurity threat landscape, which has increased the need for effective customer authentication, and (2) the expansion of authentication considerations beyond customers to employees, third parties, and system-to-system communications.
The guidance focuses on the following key practices in developing and maintaining an effective authentication program:
- Conducting a risk assessment for access and authentication to digital banking and information systems, which might include inventories of information systems, digital banking systems, customers, and transactions.
- Identifying all users and customers for whom authentication and access controls are needed, and identifying those users and customers who may warrant enhanced authentication controls, such as multifactor authentication (MFA).
- Periodically evaluating the effectiveness of user and customer authentication controls.
- Implementing layered security, which could include MFA or user time-out mechanisms to protect against unauthorized access.
- Monitoring, logging, and reporting activities to identify and track unauthorized access.
- Identifying risks from, and implementing mitigating controls for, email systems, internet access, customer call centers, and internal IT help desks.
- Identifying risks from, and implementing mitigating controls for, a data aggregator or customer-permissioned entity’s (CPE) access to a financial institution’s information systems.
- Developing and maintaining user and customer awareness and education programs on authentication risks.
- Verifying the identity of users and customers and detecting fraudulent activities, such as synthetic identities and instances of impersonation.
The guidance notes that an effective authentication program can also support identity theft prevention programs developed in compliance with the Red Flags Rule, as well as customer identification programs developed to comply with the USA PATRIOT Act.